[611] in bugtraq
X Window System security
daemon@ATHENA.MIT.EDU (Stephen Gildea)
Wed Jan 11 13:25:46 1995
To: bugtraq@fc.net
Cc: bf@morgan.com (Benjamin Fried), ddk@beta.lanl.gov, e41126@rl.gov,
    Jjd@bbn.com
In-Reply-To: Message from bf@morgan.com of 10 Jan 95 13:10:45 EST
    <9501101810.AA08507@rs1.fid.morgan.com>
Date: Wed, 11 Jan 1995 11:13:48 EST
From: Stephen Gildea <gildea@x.org>

There are already good tools for setting up keys and passing them
around. xdm sets up keys. xrsh passes them to remote clients.

Host-based authorization isn't the only revokable access method.
Anything that has principals, rather than passwords, has this
advantage. In X11R6 there are two such schemes, MIT-KERBEROS-5 and
SUN-DES-1. (SUN-DES-1 was also in R5.) So while you can't take an
MIT-MAGIC-COOKIE away from someone, you can deny KRB:gildea@x.org
further connection rights. See the Xsecurity(1) manual page for
details.

Note that none of these methods allow you to revoke the authorization
of an already-connected client.

< Stephen
X Consortium